CARIS Workshop Summary and Reflection

Kathleen Moriarty, Security AD & CARIS Program Committee Chair

The Internet Architecture Board (IAB) and the Internet Society (ISOC) hosted a day-long Coordinating Attack Response at Internet Scale (CARIS) workshop last Friday, in coordination with the Forum for Incident Response and Security Teams (FIRST) Conference in Berlin. The workshop included members of the FIRST community, attack response working group representatives (APWG, ACDC, etc.), network and security operators, RIR representatives, researchers, vendors, and representatives from standards communities. Key goals of the workshop were to improve mutual awareness, understanding, and coordination among the diverse participating organizations. The workshop also aimed to provide greater awareness of existing efforts to mitigate specific types of attacks, and a better understanding of the options others have to collaborate and engage with these efforts.

The day-long workshop included a mix of invited and selected speakers, with opportunities to collaborate throughout, taking full advantage of the tremendous value of having these diverse communities with common goals in one room. Approximately 50 participants took part in the CARIS workshop, drawn from the 25 papers received and an additional 20 template submissions. The template submissions will be maintained on the Internet Society web site and, as a result of the workshop, will be amended to provide additional value to computer security incident response teams (CSIRTs) and attack response communities/operators in their information exchange activities. The CARIS participants found the template submissions very useful for coordinating their future attack mitigation efforts. Nothing like this had previously been done: the collection is open to the global community and hosted in a neutral location. All submissions are linked from the agenda.

The workshop talks and panels involved full participation from attendees, who were required to read all of the other submissions. The panels were organized to spur conversation between specific groups, to see whether we could make further progress towards more efficient and effective attack mitigation efforts. See the paper and blog series for additional information on possible approaches to more effective attack response and information exchange, using methods that require fewer analysts.

Panel groups:

Coordination between CSIRTs and attack response mitigation efforts

Distributed Denial of Service and Botnet researchers, vendors, and operators

Infrastructure: DNS and RIR providers and researchers

Trust and Privacy with the exchange of potentially sensitive information

IAB wrap up for architecture next steps

There were a few items that stood out to me from the workshop (more to be included in the formal report):

The participants are interested in expanded information on the resources and assistance offered by the RIRs and DNS providers. Participants are going to define what is needed, with follow-through on next steps.

Another recurring theme was the community's lack of knowledge of basic security principles such as the ingress and egress filtering explained in BCP38. The CSIRTs, operators, and vendors of attack mitigation tools found this particularly frustrating. As a result, follow-up activities may include determining whether the security guidance BCPs require updates, or whether there are opportunities to educate on these basic principles already documented by the IETF.
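Since BCP38 is the one concrete control called out above, here is an added illustration of what its ingress and egress checks amount to in practice. This is example code written for this post, not workshop material or a participant's implementation; the interface-to-prefix assignments, the "own network" prefixes and the sample packets are all constructed, and the function names (ingress_decision, egress_decision, audit) are my own.

```python
# Added illustration of BCP38 (RFC 2827) ingress/egress filtering.
# The topology and packets below are constructed for this example.
import ipaddress
from typing import Dict, List, Tuple

# Each customer-facing interface is assigned the prefixes its customer is
# legitimately allowed to use as packet sources (constructed sample data).
INTERFACE_PREFIXES: Dict[str, List[str]] = {
    "cust-a": ["192.0.2.0/24"],
    "cust-b": ["198.51.100.0/25", "2001:db8:1::/48"],
}

# Prefixes that belong to our own network (constructed). Egress filtering
# lets a packet leave toward the upstream only if its source is one of these.
OWN_PREFIXES: List[str] = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32"]


def _contains(prefixes: List[str], src: str) -> bool:
    """True if src lies inside any prefix. An unparsable address counts as
    not contained. ip_network.__contains__ returns False for a mismatched
    address family, so mixed IPv4/IPv6 prefix lists are safe to scan."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def ingress_decision(interface: str, src: str) -> str:
    """BCP38 ingress check on a customer-facing interface: forward only if
    the source address is one the customer was assigned. An interface with
    no assignment (unknown or empty) defaults to drop."""
    allowed = INTERFACE_PREFIXES.get(interface)
    if not allowed:
        return "drop"
    return "forward" if _contains(allowed, src) else "drop"


def egress_decision(src: str) -> str:
    """Egress check toward the upstream: only sources we own may leave, so a
    spoofed packet that slipped past a customer interface is still caught."""
    return "forward" if _contains(OWN_PREFIXES, src) else "drop"


def audit(packets: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Apply the ingress check to each (interface, src, dst) packet, then the
    egress check to whatever was forwarded; return per-packet decisions."""
    results = []
    for iface, src, dst in packets:
        decision = ingress_decision(iface, src)
        if decision == "forward":
            decision = egress_decision(src)
        results.append((iface, src, dst, decision))
    return results


# Constructed sample traffic, one case per kind of outcome.
SAMPLE_PACKETS: List[Tuple[str, str, str]] = [
    ("cust-a", "192.0.2.7", "203.0.113.1"),           # legitimate
    ("cust-a", "10.0.0.1", "203.0.113.1"),            # spoofed private source
    ("cust-a", "198.51.100.9", "203.0.113.1"),        # our prefix, wrong interface
    ("cust-b", "2001:db8:1::5", "2001:db8:ffff::1"),  # legitimate IPv6
    ("cust-b", "2001:db8:2::5", "2001:db8:ffff::1"),  # IPv6 source not assigned
    ("cust-c", "192.0.2.7", "203.0.113.1"),           # unknown interface
]

if __name__ == "__main__":
    for iface, src, dst, decision in audit(SAMPLE_PACKETS):
        print(f"{iface:7} {src:>16} -> {dst:16} {decision}")
```

The third sample packet is the instructive one: its source is a prefix we own, so an egress-only filter at the upstream border would pass it, but the per-interface ingress check drops it because that prefix was never assigned to cust-a. That is why BCP38 places the check as close to the customer as possible rather than only at the network edge.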

After the workshop, the Internet Society hosted a three-and-a-half-hour boat tour through the canals of Berlin, offering additional time for collaboration among participants. One of the lively discussions was the need for better transports for information exchange. As the author of Real-time Inter-network Defense (RID), I agree. RID was written more than 10 years ago and, while the patterns it established still show promise, updated solutions are being worked on. One such solution is in the IETF DOTS working group, which takes an approach similar to RID with updated formats and protocols to meet the demands of today's DDoS attacks. While TAXII (another transport option) is just transitioning to OASIS, its base is similar to RID in its use of SOAP-like messaging, which will likely prevent it from scaling to the demands of the Internet. Vendors also cited several interoperability challenges with TAXII. Alternatively, XMPP-Grid has been proposed in the IETF SACM working group and offers promise as the data exchange protocol. XMPP inherently meets the requirements of today's information exchanges with features such as publish/subscribe, federation, and the use of a control channel. XMPP-Grid is taking off too, with at least 10 vendors currently using open source code in their products and several more planning to add support. Review and discussion of this draft would be helpful. REST was also brought up as a needed interface. The IETF's MILE working group has a draft detailing a common RESTful interface (ROLIE) that could be used with any data format and may be of interest. It would be good to hear from the community whether this draft is of value in filling that gap; it would be resurrected if helpful.

This blog post offers just a taste of the workshop; a full report will be forthcoming, as will follow-up from the IAB on this important meeting. As the workshop chair, I was very excited that the CARIS workshop had over 20% female participation! In a field where the percentage is usually between 12% and 18%, this was impressive.

I would like to offer a sincere thank you to each of the program committee members as well as our sponsors:

FIRST provided a room and excellent facilities in partnership with their annual conference in Berlin.

The Internet Society hosted the social event, a boat ride through the canals of Berlin.

EMC Corporation provided lunch, snacks and coffee throughout the day to keep us going!